governance: add trial period for new web-infra members#95
Addresses #8. New Web Infra Team members now undergo a 3-month trial period with reduced permissions to build competence and trust before receiving full infrastructure access.

Changes:
- GOVERNANCE.md: Add trial period policy under Web Infra Team section
- PERMISSIONS.md: Document trial member permission levels
- onboarding/web-infra.md: Split onboarding into trial and post-trial phases
Pull request overview
Adds a formal “trial period” onboarding policy for new @nodejs/web-infra members, documenting reduced initial access to external infrastructure services before granting full privileges.
Changes:
- Add a “Trial Period for New Members” policy section to Web Infra governance.
- Add a trial-vs-full external service permissions comparison table.
- Restructure the Web Infra onboarding checklist into Phase 1 (trial) and Phase 2 (post-trial full access).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| GOVERNANCE.md | Defines the 3-month trial period policy, expectations, and assessment criteria for Web Infra. |
| PERMISSIONS.md | Documents trial vs post-trial access levels per external service and clarifies GitHub permissions are unchanged. |
| onboarding/web-infra.md | Splits onboarding steps into trial-period access tasks and post-trial elevation tasks. |
```markdown
| **[1Password][]** | - | Admin | Not granted during trial; credentials shared on a case-by-case basis by an existing member. |
| **[Atlassian Statuspage][]** | Read | App Admin | Public status page is accessible to everyone; management access is granted after trial. |
| **[Chromatic][]** | Read | Admin | Read access available via GitHub authentication. |
| **[Cloudflare][]** | Read | Read | Read-only access is sufficient for day-to-day; elevated access may be granted on a case-by-case basis post-trial. |
```
Terminology is inconsistent across docs: GOVERNANCE.md/onboarding use “Read-only”, while this table uses “Read”. Aligning on a single term (ideally the exact role name used by each provider) would reduce confusion when granting access.
Suggested change:

```diff
- | **[Cloudflare][]** | Read | Read | Read-only access is sufficient for day-to-day; elevated access may be granted on a case-by-case basis post-trial. |
+ | **[Cloudflare][]** | Read-only | Read-only | Read-only access is sufficient for day-to-day; elevated access may be granted on a case-by-case basis post-trial. |
```
```diff
  - [ ] Add the **Nominee** to the @nodejs/web-infra team on GitHub.
  - [ ] The **Nominee** should open an issue in [nodejs/admin](https://github.com/nodejs/admin) requesting access to the Web Infra 1Password vault.
- - [ ] Grant the **Nominee** access to Sentry.
- - [ ] The **Nominee** should enable physical or passkey 2FA on their Sentry account.
- - [ ] Grant the **Nominee** access to Vercel.
- - [ ] The nominee should enable physical or passkey 2FA on their Vercel account.
+ - [ ] Grant the **Nominee** _Viewer_ access to Vercel.
+ - [ ] The Nominee should enable physical or passkey 2FA on their Vercel account.
+ - [ ] Grant the **Nominee** _Read-only_ access to Sentry.
+ - [ ] The Nominee should enable physical or passkey 2FA on their Sentry account.
```
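Review bot: for both Vercel and Sentry the 2FA task follows the access grant, so the nominee's account already holds access to the service before a second factor is required. Consider reordering so that "The Nominee should enable physical or passkey 2FA on their Vercel account" precedes "Grant the **Nominee** _Viewer_ access to Vercel" (and likewise for Sentry), and adding a step for the granting member to confirm 2FA is enabled before any later elevation.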
The onboarding checklist describes trial-period access grants, but it doesn’t include any step for the Cloudflare read-only access mentioned in the PR description and in GOVERNANCE.md. Either add an explicit onboarding task (e.g., request/add the nominee in Cloudflare via the owning team) or clearly state in this phase that Cloudflare access is handled separately/optional due to @nodejs/build ownership.
```markdown
- [ ] The Nominee should enable physical or passkey 2FA on their Vercel account.
- [ ] Grant the **Nominee** _Read-only_ access to Sentry.
- [ ] The Nominee should enable physical or passkey 2FA on their Sentry account.
```
Inconsistent formatting/capitalization for “Nominee”: elsewhere in the onboarding docs the term is consistently bolded as Nominee, but these sub-tasks use plain “Nominee”. Aligning this keeps the checklist consistent and easier to scan.
```markdown
| **[Cloudflare][]** | Read | Read | Read-only access is sufficient for day-to-day; elevated access may be granted on a case-by-case basis post-trial. |
| **[Crowdin][]** | Read | Admin | Read access to review translations; admin access after trial. |
| **[Sentry][]** | Read | Admin | Read access to view error reports and logs; admin access after trial. |
| **[Vercel][]** | Viewer | Developer | Viewer access allows reviewing deployments and checking logs; Developer access after trial. |

> [!NOTE]
> GitHub repository permissions are **not** affected by the trial period. New members receive the same repository-level access as all @nodejs/web-infra members from day one.
```
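Review bot: the note states that GitHub repository permissions are unchanged from day one while every external service in the table is limited to a read or viewer role, but it does not say whether repository-level actions are considered in scope of the trial's risk-reduction goal. Consider adding one sentence to the note making explicit that the trial limits only access to the external services listed in this table, so readers do not assume repository actions are also restricted.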
The trial-period table includes Cloudflare “Read” access, but the onboarding checklist doesn’t currently mention how/when Cloudflare access is granted (and the main External Services table notes it’s controlled by @nodejs/build). Consider clarifying in this section whether Cloudflare access is expected during the trial, and if so, how it’s coordinated with the owning team.
Suggested change:

```diff
- | **[Cloudflare][]** | Read | Read | Read-only access is sufficient for day-to-day; elevated access may be granted on a case-by-case basis post-trial. |
- | **[Crowdin][]** | Read | Admin | Read access to review translations; admin access after trial. |
- | **[Sentry][]** | Read | Admin | Read access to view error reports and logs; admin access after trial. |
- | **[Vercel][]** | Viewer | Developer | Viewer access allows reviewing deployments and checking logs; Developer access after trial. |
- > [!NOTE]
- > GitHub repository permissions are **not** affected by the trial period. New members receive the same repository-level access as all @nodejs/web-infra members from day one.
+ | **[Cloudflare][]** | Read | Read | Read-only access is sufficient for day-to-day; during the trial, access requests are coordinated by @nodejs/web-infra with @nodejs/build, who own the Cloudflare account. Elevated access may be granted on a case-by-case basis post-trial. |
+ | **[Crowdin][]** | Read | Admin | Read access to review translations; admin access after trial. |
+ | **[Sentry][]** | Read | Admin | Read access to view error reports and logs; admin access after trial. |
+ | **[Vercel][]** | Viewer | Developer | Viewer access allows reviewing deployments and checking logs; Developer access after trial. |
+ > [!NOTE]
+ > GitHub repository permissions are **not** affected by the trial period. New members receive the same repository-level access as all @nodejs/web-infra members from day one.
+ > Access to external services owned by other teams (for example **[Cloudflare][]**, which is owned by @nodejs/build) is requested on your behalf by an existing @nodejs/web-infra member as part of onboarding.
```
```markdown
- **Cloudflare**: Read-only access (day-to-day operations generally do not require manual changes)
- **Vercel**: Viewer-level access (sufficient to review deployments, check logs, and monitor project status)
- **Sentry, Crowdin, Atlassian Statuspage**: Read-only or limited access
- **1Password**: Access is not granted during the trial period; credentials may be shared on a case-by-case basis by an existing member for specific tasks
```
The trial-period guidance suggests sharing 1Password-stored credentials “on a case-by-case basis”. Credential sharing reduces accountability/auditability and can violate provider ToS. Consider rephrasing to recommend that an existing member performs the needed action, or that temporary/least-privilege individual access is granted for a specific task instead of sharing credentials.
Suggested change:

```diff
- - **1Password**: Access is not granted during the trial period; credentials may be shared on a case-by-case basis by an existing member for specific tasks
+ - **1Password**: Direct access is not granted during the trial period. For tasks requiring secrets or credentials, an existing member should either perform the required action or, where appropriate, grant temporary, least-privilege individual access (for example, via a shared vault or per-service role) instead of sharing their own credentials.
```
```markdown
#### Trial Period for New Members

Upon acceptance, new members of the Web Infra Team enter a **trial period of 3 months** with limited access to infrastructure services. The purpose of this trial period is to ensure new members can demonstrate competence and trustworthiness in managing critical infrastructure before being granted elevated privileges.
```

Suggested change:

```diff
- Upon acceptance, new members of the Web Infra Team enter a **trial period of 3 months** with limited access to infrastructure services. The purpose of this trial period is to ensure new members can demonstrate competence and trustworthiness in managing critical infrastructure before being granted elevated privileges.
+ Upon acceptance, new members of the Web Infra Team enter a **trial period of 3 months (90 days)** with limited access to infrastructure services. The purpose of this trial period is to ensure new members can demonstrate competence and trustworthiness in managing critical infrastructure before being granted elevated privileges.
```
**MattIPv4** left a comment:

There is no read-only capability for status page
```markdown
- [ ] Grant the **Nominee** _Read-only_ access to Sentry.
- [ ] The Nominee should enable physical or passkey 2FA on their Sentry account.
- [ ] Grant the **Nominee** _Read-only_ access to Crowdin.
- [ ] Grant the **Nominee** _Read-only_ access to the Node.js Status Page.
```

Suggested change:

```diff
- - [ ] Grant the **Nominee** _Read-only_ access to the Node.js Status Page.
```
```markdown
- [ ] Elevate the **Nominee** to _Developer_ access on Vercel.
- [ ] Elevate the **Nominee** to _Admin_ access on Sentry.
- [ ] Elevate the **Nominee** to _Admin_ access on Crowdin.
- [ ] Elevate the **Nominee** to _App Admin_ access on the Node.js Status Page.
```

Suggested change:

```diff
- - [ ] Elevate the **Nominee** to _App Admin_ access on the Node.js Status Page.
+ - [ ] Grant the **Nominee** _App Admin_ access to the Node.js Status Page.
```
```markdown
- **Cloudflare**: Read-only access (day-to-day operations generally do not require manual changes)
- **Vercel**: Viewer-level access (sufficient to review deployments, check logs, and monitor project status)
- **Sentry, Crowdin, Atlassian Statuspage**: Read-only or limited access
```

Suggested change:

```diff
- - **Sentry, Crowdin, Atlassian Statuspage**: Read-only or limited access
+ - **Sentry, Crowdin**: Read-only or limited access
```
```markdown
| Service | Trial Period Access | Full Access (post-trial) | Notes |
| ---------------------------- | ------------------- | ------------------------ | -------------------------------------------------------------------------------------------------- |
| **[1Password][]** | - | Admin | Not granted during trial; credentials shared on a case-by-case basis by an existing member. |
| **[Atlassian Statuspage][]** | Read | App Admin | Public status page is accessible to everyone; management access is granted after trial. |
```

Suggested change:

```diff
- | **[Atlassian Statuspage][]** | Read | App Admin | Public status page is accessible to everyone; management access is granted after trial. |
+ | **[Atlassian Statuspage][]** | - | App Admin | Public status page is accessible to everyone; management access is granted after trial. |
```
Summary

This PR introduces a trial period policy for new members of the @nodejs/web-infra team, as proposed in #8.

New Web Infra Team members will undergo a 3-month trial period with reduced permissions across infrastructure services before being granted full access. This ensures that new members can demonstrate competence and trustworthiness while minimizing risk to critical infrastructure.

Changes

- GOVERNANCE.md: Added a new "Trial Period for New Members" subsection under the Web Infra Team section, defining:
- PERMISSIONS.md: Added a new "Trial Period Permissions for New Web Infra Members" section with a comparison table showing trial vs. full access levels for each external service. Clarifies that GitHub repository permissions are unaffected by the trial.
- onboarding/web-infra.md: Restructured the onboarding checklist into two phases:

Motivation

As noted in #8, giving new members immediate full access to critical infrastructure services carries unnecessary risk. A trial period:

Fixes #8